Sleeping With The Phishes

February 15, 2006       Craig Causer      

Cialis. Sons of deposed leaders of the Congo. Hot stock tips. Each is an example of the unwanted greetings popping up throughout email inboxes across the globe.

Blocking that spam has become serious business for Internet Service Providers (ISPs) looking to attract a population ever more reliant on email. An Epsilon Interactive/Roper ASW consumer survey conducted in February 2005 found that 22 percent of American adults switched, or considered switching, their mailbox provider within a six-month period of the study.

As a result, ISPs including America Online, Yahoo! and MSN have been working to develop authentication, accreditation and reputation (AAR) techniques to protect users from spam. In November 2005, MSN began flagging potential incoming spam when its servers could not verify senders’ return address information. Any unauthenticated email was promptly transported to the recipients’ junk mail folders.

Just how important the authentication process has become for nonprofits is up for debate. Michael Della Penna, chief marketing officer at Epsilon Interactive and chair of the Direct Marketing Association Council for Responsible Email, said that he believes that it is essential for nonprofits to authenticate their email to ensure the most effective delivery.

Authentication allows the ISP or the receiver to verify that the sender is who they say they are, Della Penna said, and it validates that the “from” address and the IP address are from the same person or company. By authenticating your domain with your IP address, in essence, you’re telling the ISP or the receiver that this IP address belongs to your nonprofit.

The reason that authentication is so important is that ISPs are incorporating it as part of their checks and balances as it relates to incoming email. A nonprofit should want to come on board quickly because it does a number of things including improving their relationship with the ISPs, Della Penna said, since nonprofits would be buying into the requirements that the ISPs are implementing. It allows organizations to be more transparent and accountable.

Authentication is increasingly becoming required for delivery optimization, Della Penna added. Yahoo!, MSN and AOL are all incorporating SPF (Sender Policy Framework) or DomainKeys checking into their acceptance and whitelisting processes. Many ISPs have begun to include visual identifiers in the actual emails when an email does not pass an authentication check. Della Penna gave the example that, on Yahoo!, you could get a warning on top of a message saying that Yahoo! is unable to verify the sender.

“It also reduces false positives,” Della Penna explained. “As a nonprofit continues to deliver, if you can be validated there is a higher likelihood that the ISP is going to accept that email and you’re not going to be put into the bulk mail folder because you’re part of the whitelisting program. Microsoft/MSN/Hotmail announced that through their authentication checks, they were able to reduce false positives 5 to 7 percent in the first couple of months alone.”

The easiest and most broadly accepted standard is SPF and the more complicated standard is DomainKeys. For Internet Protocol (IP)-based (or domain-level) authentication, including Sender ID Framework and SPF, the Domain Name System registry is queried to verify that, when an email claims to be from a specific domain name (for example, @nonprofit.org), the computer server, or IP address, that sent the message has been authorized in the Domain Name System for that domain.
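The IP-based check described above, as an added example that is not part of the original article: a receiver-side SPF evaluation limited to the `ip4`, `ip6` and `all` mechanisms. The function name `check_spf`, the published records and the addresses (documentation ranges) are constructed for illustration, and a dictionary stands in for the DNS TXT lookup.

```python
import ipaddress

# Constructed sample: TXT records the domains might publish in DNS.
# 192.0.2.0/24, 198.51.100.25 and 203.0.113.0/24 are documentation addresses.
DNS_TXT = {
    "nonprofit.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from, dns=DNS_TXT):
    """Return the SPF result for a connecting IP and envelope sender address.

    Handles only the ip4, ip6 and all mechanisms; a record that uses
    include, a, mx, redirect or macros yields "permerror" here.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = dns.get(domain)
    if record is None:
        return "none"                      # domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:                 # mechanisms are tested left to right
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # mechanism outside this example
    return "neutral"                       # nothing matched and no "all" term
```

A message claiming to be from @nonprofit.org but arriving from an address outside the published ranges evaluates to `fail`, which is the signal a receiving filter can act on for forged mail.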

Cryptographic-based (or message-level) authentication, such as Yahoo!’s DomainKeys, utilizes public/private key pairs that are created by email senders, with one of the keys stored in the Domain Name System or other Internet registry and its matching key used to generate unique message signatures that are embedded in outbound email headers. Mailbox providers authenticate the emails by querying the Domain Name System or other registry to make sure that the signature in the header matches the key stored in the registry. Since DomainKeys utilizes public key encryption, it is more complex to implement. Besides Yahoo!, Google GMail currently utilizes DomainKeys.

As the ISPs continue to offer products and services to fight spam, authentication will be helpful in reducing the clutter since more fraudulent and deceptive emails are going to be stopped at the gateway and not left to sort through in the inbox.

“The whole issue of trust and consumer confidence in email is critical for nonprofits in addition to the ability to protect their brand,” Della Penna said. “For example, the Red Cross, over the past couple of months, has been one of the most phished brands on the Internet because of all its fundraising activity. Authentication is going to protect the brand and improve the trust in their email initiatives. It will allow consumers to further distinguish between what is a legitimate email and what is a phished email.”

While authentication does not hurt an organization’s communications in any way, some believe that there are more basic things that nonprofits should tackle before they worry about email authentication.

“I’m not going to say it’s not important — it’s probably going to become increasingly important — but from what I’ve seen, people need to worry more about the quality of their email list than authentication because that’s where the problems really creep in,” advised Eric Rogers, program fellow at the IT Resource Center in Chicago.

According to Rogers, early returns indicate that spammers are also very good at getting their email addresses authenticated. The system has a lot of growing up to do, he said, and the requirements and the way authentication operates may change due to tweaks in the system.

The IT Resource Center sends out an e-newsletter every two weeks and the organization has yet to authenticate its email address. Rogers said that there has been no problem getting through to clients who use Yahoo!, Hotmail and the major providers.

“The most basic thing you can do is to send your institutional emails from the same address and send them consistently,” Rogers explained. “Don’t have email blasts going out from different personal email accounts. All of ours come from our development/marketing associates’ email address so people have whitelisted that address. They know who it is when they see it in their email inbox.”

The progression of email tactics, Rogers added, is to get your list under control, use good methods to build your list and remain conscientious about keeping it clean. Once those endeavors have been accomplished then it’s time to move toward authentication.

Beating negative response

Although positive email authentication serves as only a minor benefit to email deliverability, one of the areas where it can add real value is the use of negative email authentication in combating phishing scams, said David Crooke, chief technology officer at constituent relationship management solutions provider, Convio.

Phishing is not an issue for 99.99 percent of nonprofits, Crooke said, but it can affect large fundraising organizations, particularly in times of crisis, as with Hurricane Katrina. Having email authentication in place allows an ISP’s spam filters to spot email from phishers that has been forged to appear to come from the organization’s regular email “from” address.

“Another way some organizations are protecting their communication is by asking their opt-in members to add them to their email preferences lists, thereby whitelisting them and allowing the organizations’ email to get through any spam blockers,” Crooke added. “But you can’t always rely on people following through on those requests so authenticating your email will also help on the server level.”

Whether or not authentication should be a high priority, there is no debate that it does not take much of an effort to authenticate an email address. Since there’s definitely no harm in doing so, and it takes less than an hour of an IT person’s time, nonprofits should go ahead with the process, Crooke advised.

Epsilon Interactive’s Della Penna believes that more education throughout the sector is needed. “I think the concern is, if a nonprofit is sending an email itself, because there’s such a focus on direct mail, it’s probably not an issue that is front and center for them. But if a nonprofit has outsourced its email to a vendor, it’s probably already taken care of for them.”

NonProfit Times
The Leading Business Publication For Nonprofit Management